hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

mesh-gateway: allow automatic whitelisting of remote gateway IPs #6365

Open banks opened 5 years ago

banks commented 5 years ago

Scope:

Consul 1.6.0 adds mesh-gateways as a way to route service traffic between disconnected networks like separate regions without exposing all service nodes to the shared network/WAN.

When deploying on public WAN, while mTLS prevents unauthorized access, being exposed to the world creates DoS risks. These can only truly be mitigated by restricting network access from the public internet at a lower level in the network, since even if we reject them directly in Envoy it still consumes some kernel and user space resources to open the connection etc.

That said, it would be really nice, given that we already know all the public IPs of all the other DCs' gateways that should be allowed to talk to us, if we could configure Envoy to reject connections from any other IP outright rather than proxying them and having the eventual sidecar fail AuthZ.

It should be possible to configure this using Envoy's RBAC network filter: https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/rbac/v2/rbac.proto#envoy-api-msg-config-rbac-v2-rbac.

We probably need it to be opt-in (or at least opt-out) and to also allow centrally configuring some other set of IPs to add to the whitelists, for example when routing traffic from an external mesh or from a developer's laptop through a gateway.

mkeeler commented 5 years ago

Another case for the "other ip whitelist" is if the "remote" gateway mode is used where sidecars talk directly to the gateways in a remote datacenter instead of using a local egress gateway.
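The following is an added illustration of the Envoy RBAC network filter approach proposed in the issue above, together with the "other IP whitelist" case mkeeler raises. It is not Consul's code and is not how Consul generates gateway listeners; it is a hand-written Envoy v2 listener fragment. The listener name, port, the `remote_gateways` and `extra_allowed` policy names, and the TEST-NET addresses (198.51.100.10, 198.51.100.11, 203.0.113.0/24) are all constructed for the example; the `remote_gateways` entries stand for the known public IPs of the other DCs' gateways, and `extra_allowed` stands for the centrally configured additional set (external mesh, developer laptop, or sidecars in "remote" gateway mode).

```yaml
# Added example: an Envoy v2 listener that drops any TCP connection whose
# source address is not on an allowlist, before any TLS or proxying happens.
# All addresses below are constructed placeholders, not real gateway IPs.
static_resources:
  listeners:
  - name: mesh_gateway_example          # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }  # assumed port
    filter_chains:
    - filters:
      # 1. RBAC network filter runs first in the chain: a connection from an
      #    address that matches no policy is closed immediately.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC
          stat_prefix: gateway_ip_allowlist
          rules:
            action: ALLOW                # only listed principals get through
            policies:
              # Known public IPs of the other datacenters' gateways.
              remote_gateways:
                permissions:
                - any: true              # any port / any bytes, once the source matches
                principals:
                - source_ip: { address_prefix: 198.51.100.10, prefix_len: 32 }
                - source_ip: { address_prefix: 198.51.100.11, prefix_len: 32 }
              # Centrally configured extra set: external mesh, a developer
              # laptop, or remote-mode sidecars that dial this gateway directly.
              extra_allowed:
                permissions:
                - any: true
                principals:
                - source_ip: { address_prefix: 203.0.113.0, prefix_len: 24 }
          # Optional: evaluate a second rule set without enforcing it, so a
          # rollout can be watched via rbac.shadow_denied before switching
          # the enforced allowlist over.
          shadow_rules:
            action: ALLOW
            policies:
              candidate_allowlist:
                permissions:
                - any: true
                principals:
                - source_ip: { address_prefix: 198.51.100.0, prefix_len: 24 }
      # 2. Whatever the gateway does next (Consul uses SNI-based routing);
      #    shown here as a plain TCP proxy to a placeholder cluster.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy
          stat_prefix: gateway_upstream
          cluster: placeholder_upstream   # assumed cluster name
```

Two points worth checking when applying this pattern. First, `source_ip` is matched against the address of the peer that actually opened the connection to Envoy, so a load balancer or NAT in front of the gateway makes every connection appear to come from that device and the allowlist collapses to one entry; the filter then has to sit wherever the real client address is visible. Second, the filter exposes counters under the configured prefix (`gateway_ip_allowlist.rbac.allowed`, `.rbac.denied`, and the `shadow_allowed`/`shadow_denied` pair), which is the easiest way to confirm the list is complete before the rules go from shadow to enforced, and a cheap signal for unexpected connection sources afterwards.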